platform_external_minijail/libminijail.h, branch pie-dev Unnamed repository; edit this file 'description' to name the repository. extend -K to accept a mount propagation type 2018-02-28T16:48:55+00:00 Mike Frysinger vapier@google.com 2018-02-23T20:47:24+00:00 785b1c3b309dd50b93ae03a9da125e031a9041d9 By default, minijail will mark all mounts as private. The -K flag allows them to skip that step which will retain all existing mount settings. We now have scenarios where we want to share some mount points, so lets extend -K to accept the propagation mode. This lets people use -Kslave and mark all the mount points as slaves. Bug: chromium:813131 Test: `make check` and using -Kslave allows changes in the parent namespace Change-Id: I571e402a383ecf60a6104f87ef97b76710a34d38 
By default, minijail will mark all mounts as private.  The -K flag
allows them to skip that step which will retain all existing mount
settings.  We now have scenarios where we want to share some mount
points, so lets extend -K to accept the propagation mode.  This lets
people use -Kslave and mark all the mount points as slaves.

Bug: chromium:813131
Test: `make check` and using -Kslave allows changes in the parent namespace
Change-Id: I571e402a383ecf60a6104f87ef97b76710a34d38
Use rlim_t for the arguments in minijail_rlimit() 2018-01-29T21:39:32+00:00 Luis Hector Chavez lhchavez@google.com 2018-01-29T16:41:34+00:00 7058a2debe9c1b842b8788aea8cb1fc54765a0f3 This changes the type used to pass the value of the limit from uint32_t to rlim_t, which makes it possible to pass in RLIM_INFINITY in 64-bit environments. Bug: None Test: minijail_rlimit(j, RLIMIT_STACK, RLIM_INFINITY, RLIM_INFINITY); Change-Id: I6bbf956974c7f28a2e0bb8ad3efb4d25c5675593 
This changes the type used to pass the value of the limit from uint32_t
to rlim_t, which makes it possible to pass in RLIM_INFINITY in 64-bit
environments.

Bug: None
Test: minijail_rlimit(j, RLIMIT_STACK, RLIM_INFINITY, RLIM_INFINITY);
Change-Id: I6bbf956974c7f28a2e0bb8ad3efb4d25c5675593
add an option to set up a minimal /dev 2017-10-05T06:29:22+00:00 Mike Frysinger vapier@google.com 2017-01-14T00:53:19+00:00 33ffef38b5de583f2439844b946eda0d522f0179 (high level design) This will unmount the outside /dev to help remove access to existing device nodes, and then set up a small tmpfs over /dev with a minimal set of safe/common nodes. Most daemons do not need more than these. (low level details) In order to support common use cases like passing in one or two extra device nodes (e.g. /dev/log), we cannot mess with /dev directly. We create a temporary directory, create all our nodes in there, then add any bind mounts into /dev to that path. Then just before we chroot or pivot, we move the mount from its temp location to the final /dev. Bug: chromium:680859 Test: `sudo ./minijail0 -rvpd /bin/ls -l /dev/` shows reduced # of files Test: `sudo ./minijail0 -rvpd /bin/grep /dev /proc/mounts` shows only one /dev mount Test: `sudo ./minijail0 -rvpd -C / -b /dev/log,/dev/log /bin/logger asdf` allows logging to work Test: `sudo ./minijail0 -rvpd -C /var/empty -b /,/ -b /dev/mixer,/dev/mixer /bin/ls -l /dev/` shows /dev/mixer Change-Id: Ie91869971baffde0b86c5d244c584e45099abe7e 
(high level design)
This will unmount the outside /dev to help remove access to existing
device nodes, and then set up a small tmpfs over /dev with a minimal
set of safe/common nodes.  Most daemons do not need more than these.

(low level details)
In order to support common use cases like passing in one or two extra
device nodes (e.g. /dev/log), we cannot mess with /dev directly.  We
create a temporary directory, create all our nodes in there, then add
any bind mounts into /dev to that path.  Then just before we chroot
or pivot, we move the mount from its temp location to the final /dev.

Bug: chromium:680859
Test: `sudo ./minijail0 -rvpd /bin/ls -l /dev/` shows reduced # of files
Test: `sudo ./minijail0 -rvpd /bin/grep /dev /proc/mounts` shows only one /dev mount
Test: `sudo ./minijail0 -rvpd -C / -b /dev/log,/dev/log /bin/logger asdf` allows logging to work
Test: `sudo ./minijail0 -rvpd -C /var/empty -b /,/ -b /dev/mixer,/dev/mixer /bin/ls -l /dev/` shows /dev/mixer

Change-Id: Ie91869971baffde0b86c5d244c584e45099abe7e
Add minijail_fork 2017-09-27T19:12:28+00:00 Dylan Reid dgreid@chromium.org 2017-08-24T18:33:15+00:00 0412dcc954b5b23fcf7e4a145de7d74a8943fc4d Provide a method to fork and jail a child process. This is useful for users that would normally call fork followed by minijail_enter in the child. However this allows for user and pid namespaces to be set up by the clone call in minijail_run_internal. Change-Id: Ib7dc11e7c783eda93b899ef4b782846061d113d4 Signed-off-by: Dylan Reid <dgreid@chromium.org> 
Provide a method to fork and jail a child process. This is useful for
users that would normally call fork followed by minijail_enter in the
child. However this allows for user and pid namespaces to be set up by
the clone call in minijail_run_internal.

Change-Id: Ib7dc11e7c783eda93b899ef4b782846061d113d4
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Allow redirecting logging to an FD 2017-09-14T13:16:06+00:00 Luis Hector Chavez lhchavez@google.com 2017-09-06T03:36:58+00:00 114a930ff5d9ad3e2f0bcf0320526e904e511634 This change allows redirection of logging facilities, from syslog to a file. Bug: None Test: make tests // see logging in stderr Change-Id: Ia45ccb87908f1d4a2f7964a01d11a74da6e9fdb7 
This change allows redirection of logging facilities, from syslog to a
file.

Bug: None
Test: make tests  // see logging in stderr
Change-Id: Ia45ccb87908f1d4a2f7964a01d11a74da6e9fdb7
Add a pre-chroot hook 2017-09-14T03:40:26+00:00 Luis Hector Chavez lhchavez@google.com 2017-09-13T20:18:59+00:00 64730afc5eccafd2a59dbd912bd8788f2fcbe821 This hook can be used to perform some setup in the mount namespace, prior to calling chroot(2)/pivot_root(2). Bug: 65462041 Change-Id: If4399c3642d86a107de4849a328836e9fc0ccdbf Test: hook is called in the appropriate place 
This hook can be used to perform some setup in the mount namespace,
prior to calling chroot(2)/pivot_root(2).

Bug: 65462041
Change-Id: If4399c3642d86a107de4849a328836e9fc0ccdbf
Test: hook is called in the appropriate place
minijail: Add a way to allow arbitrary fd redirects 2017-08-14T21:59:25+00:00 Luis Hector Chavez lhchavez@google.com 2017-08-02T01:32:30+00:00 1617f637380ee38039b1a650d4f417c11d8dcb5e This change allows for the parent to redirect arbtitrary file descriptors into the child, in a way that works even when the minijail_close_open_fds() is used. This can be used to pass in additional pipes to the jailed process. Bug: 63904978 Test: make tests Change-Id: Ia47eec575c92a08eb5380cc15dc4561572a209b3 
This change allows for the parent to redirect arbtitrary file
descriptors into the child, in a way that works even when the
minijail_close_open_fds() is used.

This can be used to pass in additional pipes to the jailed process.

Bug: 63904978
Test: make tests
Change-Id: Ia47eec575c92a08eb5380cc15dc4561572a209b3
minijail: Add minijail_add_hook() 2017-07-28T14:12:32+00:00 Luis Hector Chavez lhchavez@google.com 2017-07-20T22:12:22+00:00 e0ba4cebe680a5076623c7f00e419c7def72931e This allows callers to add hooks to be invoked at various events during minijail setup. This is useful to e.g. setup SELinux contexts, networking in the new namespace, and install other LSM-related stuff. Bug: 63904978 Test: make tests Change-Id: I3e773715ec1842db8071f5e993ee4bdcbe2d0082 
This allows callers to add hooks to be invoked at various events during
minijail setup. This is useful to e.g. setup SELinux contexts,
networking in the new namespace, and install other LSM-related stuff.

Bug: 63904978
Test: make tests

Change-Id: I3e773715ec1842db8071f5e993ee4bdcbe2d0082
minijail: Allow skipping setting securebits when restricting caps 2017-07-11T18:15:41+00:00 Luis Hector Chavez lhchavez@google.com 2017-06-30T03:29:57+00:00 ec0a2c1023801b875fed9eb514eb29207d657e3f This change allows the user to optionally skip setting a subset of the securebits that are automatically set when restricting caps. Bug: 63069223 Test: $ gcc -static -xc -o securebits - << EOF #include <stdio.h> #include <sys/prctl.h> int main() { printf("%x\n", prctl(PR_GET_SECUREBITS)); } EOF $ sudo ./minijail0 -c 1fffffffff --ambient ./securebits 2f $ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits 0 Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976 
This change allows the user to optionally skip setting a subset of the
securebits that are automatically set when restricting caps.

Bug: 63069223
Test: $ gcc -static -xc -o securebits - << EOF
      #include <stdio.h>
      #include <sys/prctl.h>

      int main()
      {
              printf("%x\n", prctl(PR_GET_SECUREBITS));
      }
      EOF
      $ sudo ./minijail0 -c 1fffffffff --ambient ./securebits
      2f
      $ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits
      0

Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976
Add the ability to set rlimits on the jailed process 2017-06-29T19:46:46+00:00 Dylan Reid dgreid@chromium.org 2017-06-06T22:42:49+00:00 0f72ef4240eede66e73f380d5fd7e1e9104de6ce Currently Chrome OS relies on upstart to configure these limits but that isn't available when using libminijail from session manager. Add it so runtime limits can be configured for Android and other containers. BUG=none TEST=updated security_Minijail0 and manually check /proc/xxx/limits of jailed process. Change-Id: I62ed63c89c9c5196b7d9873520b396c9524e5855 Signed-off-by: Dylan Reid <dgreid@chromium.org> 
Currently Chrome OS relies on upstart to configure these limits but
that isn't available when using libminijail from session manager.  Add
it so runtime limits can be configured for Android and other containers.

BUG=none
TEST=updated security_Minijail0 and manually check /proc/xxx/limits of
jailed process.

Change-Id: I62ed63c89c9c5196b7d9873520b396c9524e5855
Signed-off-by: Dylan Reid <dgreid@chromium.org>